NetBSD-Bugs archive


Re: kern/48945: CARP preempt is not working



The following reply was made to PR kern/48945; it has been noted by GNATS.

From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: kern-bug-people%NetBSD.org@localhost, gnats-admin%NetBSD.org@localhost,
    netbsd-bugs%NetBSD.org@localhost, netbsd%seirios.org@localhost
Subject: Re: kern/48945: CARP preempt is not working
Date: Wed, 25 Jun 2014 09:49:20 +0200

 On Wed, Jun 25, 2014 at 03:25:01AM +0000, HEO SeonMeyong wrote:
 >  [...]
 >  bouyer>  (that would be dangerous, you could end up with all interfaces in 
 > backup state
 >  bouyer>  on both routers).
 >  
 >      The following is maybe off topic, sorry.
 >  
 >      I want this to work. I wrote that rt-A/rt-B is a router, but in my real
 >      environment, rt-A and rt-B are routers with a firewall (pf) and an
 >      IDS (snort).
 >      So if rt-A and rt-B are asymmetric, pf and snort work in a limited way
 >      because (for example) incoming traffic passes through rt-A and outgoing
 >      traffic passes through rt-B.
 
 This is what I don't get: why would traffic go to rt-B if rt-A is up?
 And if rt-A is down, traffic won't go to it (there may be some delay before
 the traffic switches from A to B while the switch's switching table is
 updated).
 I have a setup similar to yours, and AFAIK if an interface on rt-A goes
 down, all traffic is redirected to rt-B.
 
 >      I think (or hope) pfsync avoids this limitation, but snort
 >      has no way to avoid it.
 
 In my setup both routers are stateless: ipf rules are stateless
 (well, almost, there's some state for some UDP traffic but it's not a
 big deal to lose a few packets here) and they don't do anything else.
 
 -- 
 Manuel Bouyer <bouyer%antioche.eu.org@localhost>
      NetBSD: 26 years of experience will always make the difference
 --
 

